Effective URL: https://www.cybersecuritydive.com/news/cisa-prioritize-vulnerabilities/636485/
CISA WANTS TO CHANGE HOW ORGANIZATIONS PRIORITIZE VULNERABILITIES

Federal authorities want to take the guesswork and manual decision making
processes out of the messy world of vulnerabilities.

Published Nov. 14, 2022
Matt Kapko Reporter
Just_Super via Getty Images

Vulnerability management is a whac-a-mole pursuit for many organizations, but
federal authorities are trying to change that.

The Cybersecurity and Infrastructure Security Agency on Thursday released its
guide for Stakeholder-Specific Vulnerability Categorization and outlined three
areas of focus for continued improvement.

The vulnerability-patch cycle places a heavy burden on cybersecurity
professionals, and many organizations struggle to identify and patch the
vulnerabilities that are most critical to their business and risk profile.




To improve vulnerability management, organizations need greater automation in
line with the Common Security Advisory Framework (CSAF), widespread adoption of
the Vulnerability Exploitability eXchange (VEX) and resource prioritization,
Eric Goldstein, executive assistant director for cybersecurity at CISA, said in
a blog post.

CISA’s push to make vulnerability data machine-readable could allow
organizations to automate mitigation and patch processing and deploy resources
in line with their respective risk profile. 

“By publishing security advisories using CSAF, vendors will dramatically reduce
the time required for enterprises to understand organization impact and drive
timely remediation,” Goldstein said in the blog post. 

The impact of a vulnerability can also be clarified through VEX advisories that
indicate which products are affected and if vulnerabilities are exploitable.
“The ultimate goal of VEX is to support greater automation across the
vulnerability ecosystem, including disclosure, vulnerability tracking and
remediation,” Goldstein said. 

Organizations can prioritize vulnerability management activities based on the
SSVC, which outlines exploitation status and other pertinent information.

Once CISA becomes aware of a vulnerability, it assigns a score and tags one of
four possible decisions to that vulnerability: track, track (with closer
monitoring for changes), attend or act. 

The agency published a calculator and decision tree to guide organizations
through the likelihood of exploitation and potential impact to a mission or
well-being.






CYBERSECURITY PROS SUPPORT CISA’S VULNERABILITY APPROACH

Analysts and threat researchers view CISA’s vulnerability categorization effort
as a necessary step to help organizations better understand their risk. The
resource could also provide businesses the opportunity to patch or remediate the
most pressing vulnerabilities before adversaries create a working exploit.

“Cybersecurity professionals are currently struggling in the vulnerability-patch
cycle with too much information about too many vulnerabilities on too many
products from too many different sources in too many forms,” Christopher Budd,
senior manager of threat research at Sophos, said via email.

CISA’s vulnerability management advances will increase efficiency by making the
process more standardized and using machine intelligence to process and analyze
information, Budd said.

Andrew Barratt, VP of technology and enterprise accounts at cybersecurity
advisory firm Coalfire, said the decision tree will help organizations
categorize vulnerabilities and prioritize action. It also allows for multiple
vulnerability impacts to be considered as part of an attack chain.

“As threats are very dynamic by their nature it’s important that this data can
have real-time, intelligence based updates made so that a decision outcome can
be adjusted. What we thought might be the case yesterday might not be the case
tomorrow,” Barratt said via email.

Vulnerability management often requires significant manual effort and a “common
framework can allow for universal communication and automation to rapidly speed
up our time to respond,” John Bambenek, principal threat hunter at Netenrich,
said via email.


